Search This Blog

Monday, October 08, 2007

Acrobat and Share Folders Security

I was at a local seminar organized by Adobe. Thanks for the invitation. However, one feature about commenting and approving of PDF was a bit of concern for me. This feature basically allow people (in their example, people from different department such as the technical and the sales etc) to share and comment or approve certain PDF via a common share folder without password.

Tell me what is the first thing in your mind.

.....

Well, if you are thinking about the problem with a common share folder then BINGO. This is so totally unrealistic (to me) and I pointed that out. But guess what? Adobe answered that this is a COMMON practise and asked the audience how many of them has that in their office and many hands were raised. Although my question was shot down, but now we have a bigger concern here now. How can company even allow a cross-department common share folder to exist? When I audit these company, I am so going to fail them... :)

Imagine finances need to prepae the quarter budget and needs some approving and they use this feature. Miss tom-dick-and-harry from the helpdesk will also have access to this SHARED and NON-PASSWORDED folder. And the budget is in the street in no time. Or if the latest technical details of the company's secret weapon is put up for approval, then before they could finish, their competitor somehow has already completed a prototype based on a "helpful" clerk in the company.

Firstly, in my own opinion, I am so against sharing of unencrypted folders. Then to make it worse, its to be a all-access password-less folder. If proper security is put in place, each department should be having their own passworded folders. Either Adobe has totally think people will not use this feature, or they have totally overlooked security as a design. I don't even want to go into their alternative "approval by email" option.